Case Study
AI-Powered Security Intelligence for a Statewide Health Information Exchange
How Xpio implemented Pryzma with Claude API via AWS Bedrock to transform compliance monitoring from reactive manual review to continuous AI-driven threat intelligence.
- Patient access events monitored: Millions
- Patient population covered: Statewide
- Organizations in network: 200+
- Continuous AI monitoring: 24/7
Pryzma Mission Control, representative dashboard with fictional data
The Challenge
Manual compliance doesn't scale.
- Manual compliance monitoring across hundreds of healthcare organizations connected to a statewide health information exchange
- No automated way to detect anomalous patient access patterns: snooping, self-access, after-hours activity, coordinated breaches
- HIPAA compliance reporting required massive manual effort with inconsistent results across organizations
- Daily CVE and threat intelligence needed to be correlated against the actual infrastructure and codebase
- No unified view of who accessed patient data, when, why, and whether it was appropriate
What Xpio Built
Pryzma + Claude API: continuous AI-powered compliance intelligence.
Agent Pryzma, AI Security Briefings
Xpio implemented Claude Opus via AWS Bedrock to generate military-style intelligence briefings for every flagged user. Each briefing covers threat assessment, pattern analysis, risk factors, and a recommended action tier, derived from millions of access events analyzed in real time.
Sigma-Based Anomaly Detection
Our team built statistical 2σ/3σ deviation detection across five behavioral dimensions: self-access, patient obsession, peer deviation, temporal anomalies, and burst activity. Thresholds adapt over time, learning from investigation outcomes.
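As an added illustration (not Pryzma's code; Xpio's implementation is not published on this page), the following Python sketch shows how 2σ/3σ peer-deviation scoring across the five dimensions can be done on a constructed set of access events. The event layout, the 3-hour burst window, the after-hours definition (20:00 to 06:00), the sigma floor, and the leave-one-out peer baseline are assumptions; the sample data is constructed so that one user reproduces the bulk-review pattern quoted later on this page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    patient_id: str
    ts: datetime  # time the record was opened


@dataclass(frozen=True)
class Finding:
    user_id: str
    dimension: str
    value: float   # the user's raw measurement on this dimension
    z: float       # sigma deviation from the peer baseline (0.0 for the self-access rule)
    tier: str      # "WARN" at >= 2 sigma, "ALERT" at >= 3 sigma


WINDOW = timedelta(hours=3)   # assumption: burst window size
SIGMA_FLOOR = 1.0             # assumption: minimum sigma, so a uniform peer group cannot divide by zero


def is_after_hours(ts: datetime) -> bool:
    # Assumption: business hours are 06:00-20:00.
    return ts.hour >= 20 or ts.hour < 6


def max_burst(evs: list) -> int:
    """Largest number of distinct patients opened inside any sliding WINDOW."""
    evs = sorted(evs, key=lambda e: e.ts)
    best, j = 0, 0
    for i in range(len(evs)):
        while j < len(evs) and evs[j].ts - evs[i].ts < WINDOW:
            j += 1
        best = max(best, len({e.patient_id for e in evs[i:j]}))
    return best


def user_features(evs: list) -> dict:
    per_patient = Counter(e.patient_id for e in evs)
    return {
        "peer_deviation": len(per_patient),                        # distinct patients touched
        "patient_focus": max(per_patient.values()),                # repeat opens of one record
        "temporal": sum(1 for e in evs if is_after_hours(e.ts)),   # after-hours activity
        "burst": max_burst(evs),                                   # distinct patients in a 3h window
    }


def z_score(x: float, peers: list) -> float:
    return (x - mean(peers)) / max(pstdev(peers), SIGMA_FLOOR)


def flag_users(events: list, own_patient: dict, warn: float = 2.0, alert: float = 3.0) -> dict:
    """Score every user on the four statistical dimensions plus the self-access rule."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user_id].append(e)
    feats = {u: user_features(evs) for u, evs in by_user.items()}
    findings = defaultdict(list)
    for u, f in feats.items():
        for dim, x in f.items():
            # Leave-one-out baseline: the subject's own activity never dilutes the peer statistics.
            peers = [feats[o][dim] for o in feats if o != u]
            if len(peers) < 2:
                continue
            z = z_score(x, peers)
            if z >= alert:
                findings[u].append(Finding(u, dim, x, z, "ALERT"))
            elif z >= warn:
                findings[u].append(Finding(u, dim, x, z, "WARN"))
        # Self-access is a rule, not a statistic: any open of the user's own record is flagged.
        n_self = sum(1 for e in by_user[u] if e.patient_id == own_patient.get(u))
        if n_self:
            findings[u].append(Finding(u, "self_access", n_self, 0.0, "ALERT"))
    return dict(findings)


def build_sample_events() -> list:
    """Constructed data: ten clinicians with routine daytime activity and one bulk-review outlier."""
    evs = []
    for n, count in enumerate([6, 7, 8, 9, 10, 7, 8, 9, 8, 8], start=1):
        for i in range(count):  # one record per hour starting 08:00
            evs.append(AccessEvent(f"u{n:02d}", f"p{n:02d}_{i:02d}", datetime(2024, 1, 15, 8 + i)))
    start = datetime(2024, 1, 15, 22, 0)
    for i in range(47):         # 47 distinct patients between 22:00 and 00:18
        evs.append(AccessEvent("u99", f"px_{i:02d}", start + timedelta(minutes=3 * i)))
    return evs


EVENTS = build_sample_events()
OWN_PATIENT = {"u05": "p05_06"}   # constructed: u05's own record sits among the ten they opened

if __name__ == "__main__":
    for user, hits in flag_users(EVENTS, OWN_PATIENT).items():
        for h in hits:
            print(f"{user} {h.dimension:<15} value={h.value:<5} z={h.z:6.1f} {h.tier}")
```

One design point matters more than it looks: the baseline for each user is computed from the other users only. If the subject is included in their own baseline, a single outlier among n users can never exceed roughly sqrt(n-1) sigma with a population standard deviation (about 3.2σ for eleven users), so 3σ alerts would almost never fire for small peer groups no matter how extreme the behaviour is.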
Daily CISO Threat Briefings
Xpio engineered automated daily security intelligence that correlates external CVEs against the actual codebase and infrastructure. Each briefing reports threat scores, attack surface changes, and prioritized action items; RED-tier alerts trigger an SMS to the on-call security team.
TEFCA-Ready Architecture
Built for interoperability at scale. FHIR R4-native data pipeline, standardized exchange protocols, and trusted framework alignment, positioning the HIE for TEFCA participation and nationwide health data connectivity.
Patient Compliance Dossier
Xpio built a unified timeline showing every access to a patient's data across the entire HIE, who looked, when, from which organization, through which system. Complete HIPAA audit trail.
Revenue Attribution Intelligence
Maps patient access across 200+ organizations to identify revenue impact and utilization patterns. Organization hierarchy benchmarking across 7 classifications.
8-Layer AI Governance
Our security team implemented NIST AI RMF-aligned guardrails: rate limiting, token budgets, PHI regex scanning, confabulation detection, required section validation, severity-based blocking, and full audit logging of every AI interaction.
Real-Time FHIR R4 Pipeline
Stream processing of HL7v2 messages from 100+ connected interfaces, transformed to FHIR R4 resources in real time. Millions of clinical resources in the CDR with sub-second query response.
Architecture
Built on Claude Opus 4.6 via AWS Bedrock.
Enterprise-grade AI with HIPAA-compliant infrastructure. Every AI interaction governed, audited, and rate-limited.
- AI Engine: Claude Opus 4.6 via AWS Bedrock
- Compute: GCP Cloud Run (serverless)
- Data Warehouse: Google BigQuery (70+ tables)
- Integration: HL7v2 → FHIR R4 pipeline
Results
From manual review to continuous intelligence.
- Millions: patient access events continuously monitored for anomalous patterns
- < 50ms: query response time with intelligent caching (down from 30+ seconds)
- 5 Detection Vectors: self-access, patient focus, peer deviation, temporal anomaly, burst activity
- Daily: automated CISO briefings with CVE-to-codebase correlation and threat scoring
- 0 → 100: AI confidence scoring on every threat assessment, tracked for accuracy over time
- Full PHI Protection: automated redaction in all AI outputs, audit trails, and compliance documentation
Under the Hood
How Claude API drives the intelligence layer.
Threat Assessment Briefings
When the anomaly detection engine flags a user, Claude Opus receives the full context: baseline access statistics, all detected anomalies, self-access alerts, patient focus patterns, peer deviation scores, prior investigation history, and operational intelligence. It generates a structured intelligence briefing with threat tier (CRITICAL → MINIMAL), confidence score (0-100), and recommended action tier (1-5).
▸ THREAT ASSESSMENT: HIGH
▸ CONFIDENCE: 87/100
EXECUTIVE SUMMARY: User accessed 47 unique patients in a 3-hour window, 4.2σ above peer baseline. Pattern consistent with unauthorized bulk review...
▸ RECOMMENDED ACTION: TIER 3, Escalate to Privacy Officer
Daily CISO Intelligence
Every morning at 6 AM, Claude correlates the latest CVE disclosures against the actual codebase, infrastructure dependencies, and architecture. It produces a threat score (0-100), matched CVEs with attack surface analysis, and prioritized action items. RED-tier alerts trigger immediate SMS to the on-call security team. All patient data is automatically redacted before reaching the AI.
AI Governance & HIPAA Compliance
Every Claude API call passes through 8 compliance guardrails mapped to NIST AI RMF and HIPAA requirements. Pre-call enforcement handles rate limiting and minimum necessary data principles. Post-call enforcement scans for PHI leakage (SSN patterns are blocked, DOB patterns generate warnings), validates required briefing sections, and runs confabulation detection. Every interaction is logged to an immutable audit table with user, model, token count, cost, response time, and guardrails triggered.
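As an added example (not Pryzma's guardrail code, which this page does not show), here is a Python sketch of the post-call checks described above, applied to two constructed briefings in the format shown under Threat Assessment Briefings, plus a minimal pre-call token-budget check and the audit row that would be written. The regexes, the tier list between CRITICAL and MINIMAL, the grounding heuristic used for confabulation detection, the severity policy that decides between blocking and warning, and the audit-record fields are assumptions.

```python
import re
from dataclasses import dataclass, field

REQUIRED_SECTIONS = ("THREAT ASSESSMENT", "CONFIDENCE", "EXECUTIVE SUMMARY", "RECOMMENDED ACTION")
THREAT_TIERS = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "MINIMAL")  # assumption: page names only the endpoints
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
NUMBER_RE = re.compile(r"\d+(?:\.\d+)?")                        # no \b so "4.2σ" still yields 4.2
SUMMARY_RE = re.compile(r"EXECUTIVE SUMMARY:(.*?)(?=\n▸|\Z)", re.S)


@dataclass
class GuardrailResult:
    text: str                                      # response after redaction
    blocked: bool = False
    triggered: list = field(default_factory=list)  # guardrails that fired
    warnings: list = field(default_factory=list)


def precall_budget_ok(prompt_tokens: int, used_today: int, daily_budget: int) -> bool:
    """Pre-call token-budget guardrail (rate limiting would sit beside it)."""
    return prompt_tokens + used_today <= daily_budget


def threat_tier(text: str):
    m = re.search(r"THREAT ASSESSMENT:\s*([A-Z]+)", text)
    return m.group(1) if m else None


def _norm(num) -> str:
    return f"{float(num):g}"   # "04" -> "4", 3.0 -> "3", so context and output compare equal


def ungrounded_numbers(text: str, context: dict) -> list:
    """Confabulation heuristic (assumed): every figure in the summary must exist in the model's input context."""
    m = SUMMARY_RE.search(text)
    if not m:
        return []
    allowed = {_norm(v) for v in context.values()}
    return sorted({_norm(n) for n in NUMBER_RE.findall(m.group(1))} - allowed)


def post_call_guardrails(response: str, context: dict) -> GuardrailResult:
    r = GuardrailResult(text=response)
    # 1. PHI scan: an SSN pattern blocks the output and is redacted; a DOB pattern only warns.
    if SSN_RE.search(r.text):
        r.triggered.append("phi_ssn")
        r.blocked = True
        r.text = SSN_RE.sub("[SSN REDACTED]", r.text)
    if DOB_RE.search(r.text):
        r.warnings.append("phi_dob_pattern")
    # 2. Required-section validation.
    for s in REQUIRED_SECTIONS:
        if f"{s}:" not in r.text:
            r.triggered.append(f"missing_section:{s}")
            r.blocked = True
    # 3. The tier must be one the downstream workflow understands.
    tier = threat_tier(r.text)
    if tier not in THREAT_TIERS:
        r.triggered.append("invalid_tier")
        r.blocked = True
    # 4. Confabulation check with severity-based blocking (assumed policy): ungrounded
    #    figures block a HIGH/CRITICAL briefing, in lower tiers they only warn.
    bad = ungrounded_numbers(r.text, context)
    if bad:
        r.triggered.append("confabulation:" + ",".join(bad))
        if tier in ("CRITICAL", "HIGH"):
            r.blocked = True
        else:
            r.warnings.append("ungrounded_figures")
    return r


def audit_record(user: str, model: str, tokens_in: int, tokens_out: int,
                 cost_usd: float, response_ms: int, r: GuardrailResult) -> dict:
    """Row for an append-only audit table: outcome and metadata, not the response body."""
    return {"user": user, "model": model, "tokens": tokens_in + tokens_out, "cost_usd": cost_usd,
            "response_ms": response_ms, "blocked": r.blocked,
            "guardrails_triggered": list(r.triggered), "warnings": list(r.warnings)}


# Constructed inputs: the anomaly context fed to the model, and two possible model outputs.
CONTEXT = {"unique_patients": 47, "window_hours": 3, "sigma_above_peers": 4.2}
GOOD_BRIEFING = (
    "▸ THREAT ASSESSMENT: HIGH\n"
    "▸ CONFIDENCE: 87/100\n"
    "EXECUTIVE SUMMARY: User accessed 47 unique patients in a 3-hour window, 4.2σ above peer baseline.\n"
    "▸ RECOMMENDED ACTION: TIER 3, Escalate to Privacy Officer\n"
)
BAD_BRIEFING = (   # constructed: leaks PHI patterns, invents a figure, omits a required section
    "▸ THREAT ASSESSMENT: HIGH\n"
    "▸ CONFIDENCE: 91/100\n"
    "EXECUTIVE SUMMARY: User (SSN 123-45-6789, DOB 04/12/1987) accessed 112 unique patients in a 3-hour window.\n"
)

if __name__ == "__main__":
    for name, text in (("good", GOOD_BRIEFING), ("bad", BAD_BRIEFING)):
        res = post_call_guardrails(text, CONTEXT)
        print(name, audit_record("analyst", "MODEL_ID_PLACEHOLDER", 1800, 400, 0.09, 2100, res))
```

The grounding check deliberately runs after redaction, so digits from a redacted SSN are not double-counted as invented figures, and it only inspects the executive summary, since the confidence score is the model's own output rather than something that should appear in the input context.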
Ready for AI-powered compliance?
Xpio is the implementation partner for Pryzma. Whether you're a health information exchange, a state agency, or a behavioral health organization, we build and deploy it.
Get in Touch
